kernel: further default sysctl hardening

• unprivileged bpf: we do not need this on our infra, we can assume bpf() calls will happen with CAP_SYS_ADMIN if required.

• unprivileged userns: we do not need this on our infra for none of our services or similar. Reduce attack surface by a huge margin including most recent CVE-2020-14386.

• kptr restrict: we already check for CAP_SYSLOG and real ids but we really do not require any specific kernel pointers to be logged. Settings this to 2 instead to blank out all kernel pointers to protect against info leak.

• kexec: disable kexec as we do never want to kexec our running servers into something else. Settings this sysctl disables kexec even if its compiled into the kernel.

• bpf jit harden: harden BPF JIT compiler to mitigate JIT spraying for the sacrifices off a bit performance for all users including privileged.

assigned to @svenstaro

approved this merge request

added 9 commits

• 9532c7da...b2876d08 - 8 commits from branch master
• c6ab605f - kernel: further default sysctl hardening

Compare with previous version

approved this merge request

Good to merge. Make sure to handle the rollouts everywhere!

added 3 commits

• c6ab605f...9a096d9f - 2 commits from branch master
• 0e06e487 - kernel: further default sysctl hardening

Compare with previous version

added 9 commits

• 0e06e487...0a6a5703 - 8 commits from branch master
• f1a3173e - kernel: further default sysctl hardening

Compare with previous version

added 10 commits

• f1a3173e...0d995b01 - 9 commits from branch master
• b2ba1877 - kernel: further default sysctl hardening

Compare with previous version

enabled an automatic merge when the pipeline for b2ba1877 succeeds

merged

mentioned in commit dd918741